Germany sees growing cyber threat but lacks legal means to retaliate

The word 'password' is pictured on a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

By Andrea Shalal

BERLIN (Reuters) - The German government is scrambling to respond to a serious and growing threat of cyber attacks, but it lacks the legal framework to retaliate with cyber attacks of its own, top officials said on Monday.

Cybersecurity is a major concern for Berlin as a Sept. 24 federal election approaches. German intelligence agencies said in December Russia was seeking to use propaganda, cyber attacks and other means to destabilise German society before the vote.

"Cyber is what keeps me up at night," Deputy Defence Minister Katrin Suder told reporters at an event hosted by the Federal Academy for Security Policy, a government training body. "This is not science fiction anymore ... It is a topic of immense and growing importance."

Suder said the German military was making progress with a new cyber command that starts operations on Wednesday, and control over cyber functions that had been scattered across the military had become more centralised.

She underscored the division of responsibilities between the military and the Interior Ministry, which is responsible for domestic cyber attacks, adding that the Bundeswehr itself would call the police if it suffered a major cyber attack.

Suder said the military would only retaliate after a large-scale attack on Germany if parliament ordered it to. She rejected some lawmakers' concerns about insufficient oversight of the various governmental arms involved in cybersecurity.

"Existing laws apply, even in cyberspace," she said, noting that any offensive cyber measures would come as part of military mandates that had already been approved by parliament. "The rules are very clear and we observe them."

But Agnieszka Brugger, a member of the pro-environment Greens who serves on the defence committee, said the ministry's decision to sanction offensive measures raised risks that had not been fully considered. The military should focus more on defending its own weapons and computer systems, she said.

Brugger also questioned how the new cyber command's work would intersect with that of the BND foreign intelligence service, the BSI cyber security agency and other bodies.

"We need a single parliamentary control body that has the overview of all operations. The current fragmented legal authorities and the multitude of actors result in grave gaps in control," she told Reuters. "Many legal questions are unclear."

Andreas Koenen, head of the cyber security directorate at the Interior Ministry, agreed, telling the conference that Berlin so far lacks an adequate legal basis for counter-attacks. New legislation was unlikely to be approved before the September elections, he said.

"No agency is explicitly empowered to carry out such measures," he said. "We don't have a legal basis. We might get the technical capabilities together at the last minute."

Thomas Wriessnig, vice president of the Federal Academy for Security Policy, said it was clear that more work was needed to prepare for a large-scale cyber attack.

"Clearly there are deficits and something has to happen. We're not ready for a broad attack."